Future Tense

We Still Haven’t Learned the Major Lesson of the 2013 Target Hack

Forty million credit and debit cards, 70 million customers’ information, nine years of repeating the same mistakes.

The bull’s-eye logo of a Target store's sign, with a blue sky behind it.
Bull’s-eye. Joe Raedle/Getty Images

Slate has relationships with various online retailers. If you buy something through our links, Slate may earn an affiliate commission. We update links when possible, but note that deals can expire and all prices are subject to change. All prices were up to date at the time of publication.

From Breached! by Daniel J. Solove and Woodrow Hartzog. Copyright © 2022 by Danial J. Solove and Woodrow Hartzog and published by Oxford University Press. All rights reserved.

Sometimes the thing we are looking for is right in front of us and yet we still don’t see it. A great novella by Gabriel García Márquez called Chronicle of a Death Foretold begins with the vicious fatal stabbing of the main character. The rest of the story reveals that all the warning signs about the murder were in plain sight yet ignored by everyone. The murder was readily preventable—but, because of human nature, it was almost inevitable.

Advertisement
Advertisement
Advertisement
Advertisement

The story of most data breaches follows the same pattern. We have read about thousands of data breaches, and the moral of most of these stories boils down to the same thing: The breaches were preventable, but people made blunders. What is quite remarkable about these stories is that they haven’t evolved that much in decades. The same mistakes keep happening again and again. After so many years, and so many laws to regulate data security, why haven’t the stories changed?

Let us begin with a classic data breach tale involving one of the largest and most notable breaches of its time—the Target breach of 2013. The story has many of the common themes of data breach stories, and what makes it particularly fascinating is that it is a sinister version of a David and Goliath story. Target was Goliath, and it was well-fortified. With its extensive resources and defenses, Target was far more protected than most organizations. Yet, it still failed. This fact should send shivers down our spines.

Advertisement
Advertisement

In mid-December 2013, right in the middle of the holiday shopping season, executives at Target found out some dreaded news: Target had been hacked. It was cruel irony that the second-largest discount store chain in the United States quite literally had a target sign on it—Target’s logo is a red and white bullseye. The hackers hit it with an arrow straight into the center. Executives at Target learned about the breach from Department of Justice officials, who informed them that stolen data from Target was appearing online and that reports of fraudulent credit card charges were starting to pop up. Quite concerned, the Target executives immediately hired a forensics firm to investigate.

Advertisement

What they discovered was devastating. It wasn’t just a small breach, or a sizeable one, or even a big one—it was a breach of epic proportions. Target had the dubious distinction of having suffered the largest retail data breach in U.S. history.

Advertisement
Advertisement
Advertisement

Over the course of two weeks starting in November 2013, hackers had stolen detailed information for about 40 million credit and debit card accounts, as well as personal information on about 70 million Target customers. The hackers had begun to sell their tremendous data haul on black-market fraud websites.

The timing couldn’t have been worse for Target. It suffered the single largest decline of holiday transactions since it first began reporting the statistic. Target sales plummeted during a season that traditionally accounts for 20 to 40 percent of a retailer’s annual sales. To stop the bleeding, Target offered a 10 percent discount across the board. Nevertheless, the damage was catastrophic. The company’s profits for the holiday shopping period fell a whopping 46 percent.

Advertisement
Advertisement

The pain was just beginning. On top of the lost profits, costs associated with the breach topped $200 million by mid-February 2014. These costs would rise significantly due to bank reimbursement demands, regulatory fines, and direct customer service costs. About 90 lawsuits were filed, leading to massive lawyer bills.

Advertisement
Advertisement

What made this all the more unnerving for Target is that it had devoted quite a lot of time and resources to its information security. Target had more than 300 information security staff members. The company had maintained a large security operations center in Minneapolis, Minnesota, and had a team of security specialists in Bangalore that monitored its computer network 24/7. In May 2013—just six months before the hack— Target had implemented expensive and sophisticated malware detection software from FireEye.

Advertisement

With all this security—an investment of millions of dollars, state-of-the-art security software, hundreds of security personnel, and round-the- clock monitoring—how did Target fail?

A common narrative told to the public is that this entire debacle could be traced to just one person who let the hackers slip in. In caper movies, the criminals often have an inside guy who leaves the doors open. But the person who let the hackers into Target wasn’t even a Target employee and wasn’t bent on mischief. The person worked for Fazio Mechanical, a Pennsylvania-based HVAC company, a third-party vendor hired by Target. The Fazio employee fell for a phishing trick and opened an attachment in a fraudulent email the hackers had sent to him. Hidden in the email attachment lurked the Citadel Trojan horse—a malicious software program that took root in Fazio’s computers.

Advertisement
Advertisement
Advertisement

The Citadel Trojan horse was nothing novel—it was a variant of a well-known malware package called ZeuS and is readily detectable by any major enterprise anti-virus software. But Fazio lacked the massive security infrastructure that Target had, allowing the malware to remain undetected on the Fazio computers. Through the Trojan horse, the hackers obtained Fazio’s log-in credentials for Target’s system.

With access to Target, the hackers unleashed a different malware program, one they bought on the black market for just a few thousand dollars. Experts such as McAfee director Jim Walker characterized the malware as “absolutely unsophisticated and uninteresting.”

At first, the malware went undetected, and it began compiling millions of records during peak business hours. This data was being readied to be transferred to the hackers’ location in Eastern Europe. But very soon, FireEye flagged the malware and issued an alert. Target’s security team in Bangalore noted the alert and notified the security center in Minneapolis. But the red light was ignored.

Advertisement

FireEye flagged as many as five different versions of the malware. The alerts even provided the addresses for the “staging ground” servers, and a gaffe by the hackers meant that the malware code contained usernames and passwords for these servers, meaning Target security could have logged on and seen the stolen data for themselves. Unfortunately, the alerts all went unheeded. Furthermore, given that several alerts were issued before any data were actually removed from the Target systems, FireEye’s automated malware deletion feature could have ended the assault without the need for any human action. However, the Target security team had turned that feature off, preferring a final manual overview of security decisions.

Advertisement
Advertisement

With FireEye’s red lights blinking furiously, the hackers began moving the stolen data on Dec. 2, 2013. The malware continued to exfiltrate data freely for almost two weeks. Law enforcement officials from the Department of Justice contacted Target about the breach on Dec. 12, armed not only with reports of fraudulent credit card charges, but also actual stolen data recovered from the dump servers, which the hackers had neglected to wipe.

Advertisement
Advertisement
Advertisement

The aftermath of the breach caused tremendous financial damage to Target. It remains unknown what the precise cost of the breach was, but an estimate in Target’s annual report of March 2016 put the figure at $291 million. The company’s reputation was harmed. The CIO resigned. For customers, there was increased risk of future fraud. Daily spending and withdrawal limits had to be placed on many affected accounts, and new credit cards had to be issued, causing consumers significant time loss while updating their card information everywhere.

The breach went down in the annals of data breach history—one for the record books. But it would soon be overshadowed by even bigger breaches.

As more devices, appliances, and vehicles are hooked up to the internet, physical safety is at grave risk. Hackers can break into our home devices. They can peer at our children through our baby cameras. They can snoop around through our home security cameras. They can listen in on us through our home assistant devices. They can gain control of our cars. They can also hack into implantable devices in our bodies, such as pacemakers or insulin pumps.

Advertisement

As more and more of our sensitive data is maintained in vast dossiers about us, as our biometric information is gathered and stored—such as our fingerprints, eye scans, facial data, and DNA—what will the future look like if organizations can’t keep it secure?

We are hurtling forward into a perilous future, with organizations collecting more data and with the consequences of its misuse becoming more dire—and even deadly.

Future Tense is a partnership of Slate, New America, and Arizona State University that examines emerging technologies, public policy, and society.

Advertisement